How to tackle the IAM challenges of multinational companies
Managing identities and access entitlements is becoming increasingly challenging in a rapidly changing business, regulatory and IT environment, but those challenges are compounded for multinational organisations due to the distributed nature of their operations.
Identity and access management (IAM) is especially challenging for multinational companies that need to manage the identities of employees, partners, customers, consumers, and devices wherever the company does business, while also complying with a range of data security and privacy regulations.
A global IAM capability is also challenging because of the need for consistent management of identity and entitlements across the globe to enable and control access to cloud-based applications and data, to federated applications, and to legacy applications.
Within the broader IAM challenge, there are several other specific challenges facing multinational organisations, often related to the fact that IAM is run differently in each region or location where the company operates. These specific challenges include:
- Being able to deal with customers and employees with identities originally registered in one geography using their identities to access services and systems in another geography.
- Delivering IAM services using different IAM technology stacks, processes, operating models, and maturity levels across the different company locations.
- Supporting different languages in the different countries where the company operates.
- Ensuring fast time to market for products and services requiring consistent IAM for employees, partners, customers/consumers in response to market needs/opportunities.
- Enabling fast, simultaneous rollouts for new applications to new markets.
- Standardisation and automation to reduce costs and risk of in-house solutions.
- Built-in support for the internet of things (IoT), DevOps models and local DevOps teams.
- Retaining control of infrastructure, changes, deployments, and interfaces.
- Complying with specific regional and local regulatory requirements in addition to global regulatory requirements in terms of data protection, information security, product safety and quality assurance, export regulation, and financial regulation.
IAM is a very common element to regulations, with each type of regulation often setting some requirements for managing IDs, onboarding, identification of customers, authentication, access control and access governance.
To deal with these regulations, multinational companies need a strong IAM that is flexible enough to be strong in some regions, but more relaxed in others.
Shift to as-a-service model
In the digital era, the most significant trend is towards the provision and consumption of all IT as cloud-based services, including IAM. As a growing number of workloads and IT services move to the cloud, it makes sense to move IAM to the cloud as well. Moving IAM to the cloud helps avoid the integration, management, and licensing complexity of hybrid IT environments where some workloads run on-premise while others run in parallel in the cloud.
However, cloud-based IAM services will still need to support hybrid IT environments for the foreseeable future and at the same time will need to evolve to include support not only for employees, but also for business partners, customers, consumers and non-human entities that have identities that need to be managed, such as internet-connected devices that make up the internet of things.
Identity-as-a-service (IDaaS) solutions have appeared on the market in recent years, in line with the as-a-service trend. These IDaaS solutions offer several key benefits that could help multinational organisations to tackle the challenge of running a global IAM
Since first appearing on the market, IDaaS offerings have gradually matured to include identity management, entitlement management, authentication and authorisation, which are the key components of IAM, adding the depth required by modern enterprises to reduce security and compliance risk.
The IDaaS market has registered significant growth in the past few years because of the ability of IDaaS to enable organisations to:
- Achieve better time-to-value proposition over on-premises IAM deployments
- Extend IAM capabilities to meet the security requirements of growing software as a service (SaaS)
- Adopt global IAM standards and practices with access to industry expertise
- Reduce internal IAM costs and efforts to keep up with the market trends
- Limit internal IAM failures in project delivery and ongoing operations
The shift of business workloads to the cloud, however, is a long-term journey for most businesses. Similarly, the shift from on-premise IAM to IDaaS services, while at the same time delivering comprehensive support for IAM capabilities across all target systems, regardless of their deployment model, is also a multi-step journey.
IAM as a managed service
Running comprehensive IAM capabilities as a managed service is one of the viable options open to companies on that journey to a more modern IT environment based on a service-based model that supports the use of standardised and consistent services around the globe that can deliver as a utility all the identity services an organisation requires, including registration, verification, governance, security and privacy.
For most businesses this will mean making fundamental changes to their IT architecture to become more agile and flexible by separating identity and applications, and providing the backend systems required to make all the necessary connections using application program interfaces (APIs) that bridge services, microservices and containers in the cloud (public and private) and on-premise.
These changes will result in a converged digital identity backend or “identity fabric” that refers to a set of connected enabling IT components that work together as single entity.
Define your future Identity Fabric
An identity fabric, therefore, is a concept, not a single tool, that is about connecting every user to every service and is centred around managing all types of identities in a consistent manner, managing access to services, and supporting federating external identities from third-party providers as well as the organisation’s own directory services.
The concept of Identity Fabrics refers to a logical infrastructure that enables access for everyone and everything from anywhere to any service within a consistent framework of services, capabilities and building blocks that are part of a well-defined, loosely coupled overall architecture that is ideally delivered and used homogeneously via secure APIs.
Organisations can use the Identity Fabric paradigm to plan their future IAM capability and how this will work with digital services, SaaS offerings, and on-premises legacy IAM systems. The concept can also be used to identify the main capabilities and services that will be needed, and provides guidance for how to implement them using a modern architecture to modernise and future proof IAM.
Identify Fabrics are focused on delivering the APIs and the tools required by the developers of the digital services to support advanced approaches to Identity Management, such as adaptive authentication, auditing capabilities, comprehensive federation services, and dynamic authorisation through open standards like OAuth 2.0 and OpenID Connect.
Viability of managed IAM services
IDaaS is the future, and right now managed service providers that operate IDaaS on a global scale are a viable option for multinational companies because they cater for the hybrid IT reality, while at the same time enabling a gradual transition to a future IT environment provided entirely by cloud-based services. Comprehensive managed IAM solutions also enable a high degree of customisation that is typically required by multinational companies, while still being run as a service.
In choosing a fully managed IAM service, organisations should ensure that across all locations it provides:
- Consistent technology stacks
- Consistent processes
- A consistent operating model
- Flexibility for localisation (language and regulations, for example)
- Regulatory compliance
- Multi-language support
A growing number of organisations are shifting their IAM to the as-a-service model in the short to medium term as a cost-effective way of delivering an efficient global IAM that is flexible enough to meet local language, process, and regulatory requirements.
Key features of a comprehensive IAM capability include:
- Support for existing directory services on-premise and in the cloud
- Integration of all sources of identity information
- Connectors to a broad variety of target systems on-premise and in the cloud
- Self-service facilities for things like password management and access requests
- Support for mobile interfaces to access key functionality
- Access request management and access review processes
- Segregation of duties management and entitlement management
- Central administrative user interface (UI)
- Strong set of APIs and support for hybrid IT environments
- Modern architecture based on microservices and containers
IAM-as-a-service offerings that have all or most of these features provide a viable short-to-medium-term option for organisations unable to move immediately to the cloud and a services-based model for IAM. Managed IAM services allow companies to deploy a modern, scalable IAM capability quickly and easily to benefit from a balance between customisation and standardisation, and faster roll out of applications and services using automated, standardised IAM processes.
Manufacturers and other multinational companies consider switching their Identity and Access Management to a managed IAM service provider. This will enable organisations to meet the challenges of fulfilling organisation-specific requirements, supporting complex hybrid environments, operating IAM infrastructures in global environments, and allowing for a gradual step towards an easy-to-manage IAM, without any trade-off in depth and breadth of capabilities.
Running IAM globally as a service provides the benefits of a global IAM without the risks associated with IAM implementations. Global IAM as a service ensures a single, modern operating model across all regions, well-defined accountability and responsibility, well defined IAM services backed by SLAs, and consistency and flexibility to meet local language, process and regulatory requirements. This approach avoids all implementation challenges, while addressing the key global IAM challenges of scalability, consistency, cost, and regulatory compliance.
IAM as a managed service, therefore, provides a potential solution to many of the challenges facing multinational companies, but all outsourcing – including managed services – come with their own challenges, which organisations should consider carefully before making a commitment. Any organisation opting for a managed service should ensure that:
- The organisation defines its own IAM, the capabilities, services etc, while the managed service provider (MSP) merely implements these, if necessary, and operates them
- That it is possible to change service providers easily and that there is no long-term lock-in to the MSP
- That the MSP offers a cloud-style deployment model that is flexible, can scale as necessary, and offers pay-per-use licensing